From 5e3ef3e95843aa92eee6ed22d6d38d41d43d04a0 Mon Sep 17 00:00:00 2001
From: filip mertens
Date: Wed, 28 Feb 2024 22:27:16 +0100
Subject: [PATCH] harden
---
 .circleci/config.yml | 1 +
 apps/remixdesktop/entitlements.mac.plist | 13 ++++++++++
 apps/remixdesktop/package.json | 26 +++++++++++++-------
 apps/remixdesktop/src/entitlements.mac.plist | 19 --------------
 apps/remixdesktop/yarn.lock | 9 +++++++
 5 files changed, 40 insertions(+), 28 deletions(-)
 create mode 100644 apps/remixdesktop/entitlements.mac.plist
 delete mode 100644 apps/remixdesktop/src/entitlements.mac.plist
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 30e4f8b010..0ec98ca3d4 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -309,6 +309,7 @@ jobs:
 cd apps/remixdesktop
 xcrun notarytool store-credentials "notarytool-password" \
 --apple-id ${APPLE_ID} \
+ --team-id ${APPLE_TEAM_ID} \
 --password ${APPLE_ID_PASSWORD}
 # Assuming your app is packaged as a dmg or zip for notarization
 xcrun notarytool submit 'release/Remix IDE-0.0.11-Alpha.dmg' \
diff --git a/apps/remixdesktop/entitlements.mac.plist b/apps/remixdesktop/entitlements.mac.plist
new file mode 100644
index 0000000000..0be645bdc8
--- /dev/null
+++ b/apps/remixdesktop/entitlements.mac.plist
@@ -0,0 +1,13 @@
+
+
+
+
+
+ com.apple.security.cs.allow-jit
+
+ com.apple.security.cs.allow-unsigned-executable-memory
+
+ com.apple.security.cs.allow-dyld-environment-variables
+
+
+
\ No newline at end of file
diff --git a/apps/remixdesktop/package.json b/apps/remixdesktop/package.json
index 855777b5c4..ea280fd76c 100644
--- a/apps/remixdesktop/package.json
+++ b/apps/remixdesktop/package.json
@@ -30,6 +30,7 @@
 "postinstall": "electron-builder install-app-deps"
 },
 "devDependencies": {
+ "@electron/notarize": "^2.3.0",
 "@electron/rebuild": "^3.2.13",
 "@types/byline": "^4.2.35",
 "@types/express": "^4.17.21",
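Review bot: The new `--team-id ${APPLE_TEAM_ID}` argument in the .circleci/config.yml hunk is expanded unquoted, like `--apple-id` and `--password` beside it, so an unset or empty variable leaves the flag without a value and the following `--password` may then be parsed as something other than intended. Quote all three expansions: `--apple-id "${APPLE_ID}" \`, `--team-id "${APPLE_TEAM_ID}" \`, `--password "${APPLE_ID_PASSWORD}"`. Passing the app-specific password as a command argument also makes it visible in the runner's process list while the command runs; notarytool accepts App Store Connect API key credentials (`--key`, `--key-id`, `--issuer`) if that exposure matters here. The notarization step continues below the hunk.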
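Review bot: `com.apple.security.cs.allow-dyld-environment-variables` in the new apps/remixdesktop/entitlements.mac.plist was not in the deleted `src/entitlements.mac.plist`, and it relaxes the hardened runtime by letting `DYLD_*` environment variables influence library loading in the signed app. The key values are not visible in this view of the patch, so this assumes each key is set to true. If nothing in the app depends on that entitlement, drop the key; otherwise add an XML comment directly above it naming the component that needs it and why. `com.apple.security.cs.allow-unsigned-executable-memory` deserves the same check, since `allow-jit` alone may already cover what the runtime needs. The file also ends without a trailing newline.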
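Review bot: `"@electron/notarize": "^2.3.0"` is added to `devDependencies`, but nothing visible in this patch uses it. The `build` section changed further down gains no `afterSign` hook or `notarize` setting, and the CI job notarizes with `xcrun notarytool` directly. The rest of package.json lies outside the hunks, so it may be wired up elsewhere. If it is not, drop the entry and its yarn.lock block rather than carry an unused build-time package and its transitive dependencies in the release toolchain.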
@@ -69,13 +70,15 @@
 "files": [
 "build/**/*"
 ],
- "publish": [{
- "provider": "github",
- "owner": "bunsenstraat",
- "repo": "remix-desktop",
- "releaseType": "draft",
- "publishAutoUpdate": true
- }],
+ "publish": [
+ {
+ "provider": "github",
+ "owner": "bunsenstraat",
+ "repo": "remix-desktop",
+ "releaseType": "draft",
+ "publishAutoUpdate": true
+ }
+ ],
 "mac": {
 "category": "public.app-category.productivity",
 "target": [
@@ -88,10 +91,15 @@
 }
 ],
 "icon": "assets/icon.png",
- "darkModeSupport": true
+ "darkModeSupport": true,
+ "hardenedRuntime" : true,
+ "gatekeeperAssess": false,
+ "entitlements": "entitlements.mac.plist",
+ "entitlementsInherit": "entitlements.mac.plist"
 },
 "dmg": {
- "writeUpdateInfo": false
+ "writeUpdateInfo": false,
+ "sign": false
 },
 "nsis": {
 "createDesktopShortcut": "always",
diff --git a/apps/remixdesktop/src/entitlements.mac.plist b/apps/remixdesktop/src/entitlements.mac.plist
deleted file mode 100644
index 82943bc32d..0000000000
--- a/apps/remixdesktop/src/entitlements.mac.plist
+++ /dev/null
@@ -1,19 +0,0 @@
-
-
-
-
- com.apple.security.cs.allow-jit
-
- com.apple.security.cs.allow-unsigned-executable-memory
-
- com.apple.security.cs.disable-executable-page-protection
-
- com.apple.security.cs.disable-library-validation
-
- com.apple.security.network.client
-
- com.apple.security.network.server
-
-
-
-
diff --git a/apps/remixdesktop/yarn.lock b/apps/remixdesktop/yarn.lock
index fc9e558ee8..8a38dce62f 100644
--- a/apps/remixdesktop/yarn.lock
+++ b/apps/remixdesktop/yarn.lock
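Review bot: With `"gatekeeperAssess": false` and `"dmg": { "sign": false }` in the `@@ -88,10 +91,15 @@` hunk, the packaging configuration as shown never validates the signature, so a bundle signed with the wrong identity or without the intended entitlements would first be noticed at the notarization submit in CI. Add an explicit check on the built app before submission, e.g. `codesign --verify --deep --strict --verbose=2 "PATH_TO_BUILT_APP"` followed by `codesign -d --entitlements - "PATH_TO_BUILT_APP"` to confirm which entitlements were actually applied (PATH_TO_BUILT_APP is a placeholder). `entitlementsInherit` reuses the main file, so helper processes receive the same set, including `allow-dyld-environment-variables`; a narrower inherit file is the least-privilege option if the helpers do not need it. Style: `"hardenedRuntime" : true` has a stray space before the colon. The `mac` object opens above the hunk.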
@@ -37,6 +37,15 @@ optionalDependencies: global-agent "^3.0.0" +"@electron/notarize@^2.3.0": + version "2.3.0" + resolved "https://registry.yarnpkg.com/@electron/notarize/-/notarize-2.3.0.tgz#9659cf6c92563dd69411afce229f52f9f7196227" + integrity sha512-EiTBU0BwE7HZZjAG1fFWQaiQpCuPrVGn7jPss1kUjD6eTTdXXd29RiZqEqkgN7xqt/Pgn4g3I7Saqovanrfj3w== + dependencies: + debug "^4.1.1" + fs-extra "^9.0.1" + promise-retry "^2.0.1" + "@electron/rebuild@^3.2.13": version "3.2.13" resolved "https://registry.npmjs.org/@electron/rebuild/-/rebuild-3.2.13.tgz"